iOS and Android Code Audit

Mobile app security testing


Languages have their own nuances. Like a firewall or server, proper configuration syntax and attention to platform niceties can make or break security. Whether or not you’re handling sensitive data, applications (especially of the web variety) can be the first leg an attacker takes when breaching a network from the outside, leading to further access vectors within the organization. With specialist insight and a handful of helpful tools, a code review can make all the difference to an application’s security.

Static Code Analysis


Static analysis is a powerful capability that evaluates all execution paths within the application for vulnerable patterns.

Static analysis is capable of detecting vulnerabilities caused by insecure configurations, such as the use of weak cryptographic ciphers, as well as vulnerabilities caused by accepting untrusted input without validation. Powered by a combined fingerprinting engine that understands all major frameworks, such as Cordova, Ionic, Xamarin or React Native, and all popular package managers, such as Gradle, CocoaPods, npm or NuGet, our scans are able to detect vulnerable dependencies.
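To make the "weak cryptographic cipher" class of finding concrete, here is a small pattern-based check of the kind a static analyser runs over Android source. This is an added illustration written for this page, not the vendor's scanning engine; the rules, the `Finding` type and the Java snippet it scans are all constructed for the example, and a real engine would work on an abstract syntax tree and resolve constants rather than match regular expressions on raw lines.

```python
"""Pattern-based static check for weak cryptographic API usage in Android
Java/Kotlin source. Added example, not the scanner described on the page.
The sample source below is constructed for this illustration."""
import re
from dataclasses import dataclass

# Each rule: a regular expression over one source line plus a short reason.
# These are well-known weak choices in the JCA API; the list is illustrative.
WEAK_PATTERNS = [
    (re.compile(r'Cipher\.getInstance\(\s*"(DES|DESede|RC4|RC2|Blowfish)(/[^"]*)?"'),
     "weak cipher algorithm"),
    (re.compile(r'Cipher\.getInstance\(\s*"[^"]*?/ECB/'),
     "ECB mode leaks plaintext structure"),
    (re.compile(r'Cipher\.getInstance\(\s*"AES"\s*\)'),
     "bare AES transformation defaults to ECB on common providers"),
    (re.compile(r'MessageDigest\.getInstance\(\s*"(MD5|SHA-?1)"'),
     "weak hash function"),
    (re.compile(r'new\s+SecureRandom\(\s*"[^"]*"\.getBytes'),
     "SecureRandom seeded with a constant"),
    (re.compile(r'new\s+Random\('),
     "java.util.Random is not cryptographically secure"),
]


@dataclass
class Finding:
    line: int   # 1-based line number in the scanned source
    rule: str   # reason text from WEAK_PATTERNS
    text: str   # the offending source line, stripped


def scan_source(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match, skipping line comments."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("//"):
            continue  # commented-out code is not reachable; do not flag it
        for pattern, rule in WEAK_PATTERNS:
            if pattern.search(line):
                findings.append(Finding(lineno, rule, stripped))
    return findings


# Constructed sample: two weak ciphers, one weak hash, two safe calls and
# one commented-out weak call that must not be reported.
SAMPLE_JAVA = """\
import javax.crypto.Cipher;
import java.security.MessageDigest;
public class Crypto {
    Cipher weak = Cipher.getInstance("DES/CBC/PKCS5Padding");
    Cipher ecb = Cipher.getInstance("AES/ECB/PKCS5Padding");
    Cipher ok = Cipher.getInstance("AES/GCM/NoPadding");
    MessageDigest md = MessageDigest.getInstance("MD5");
    MessageDigest sha = MessageDigest.getInstance("SHA-256");
    // Cipher.getInstance("RC4");  commented out, should not be flagged
}
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JAVA):
        print(f"line {f.line}: {f.rule}: {f.text}")
```

Running the block against the constructed sample reports the DES transformation on line 4, the ECB mode on line 5 and the MD5 digest on line 7, while the GCM and SHA-256 calls and the commented-out line pass. The same structure extends to configuration checks such as `cleartextTrafficPermitted` in a network security config, but the value of the approach is in the rule set, which is why a production scanner keeps it framework-aware rather than regex-only.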

Additionally, through manual procedures carried out by our specialists, we detect attack vectors and report vulnerabilities related to data transmission in the communication between APIs, web services and related components.

Dynamic Code Analysis


Dynamic analysis monitors the behavior of the application on a real device. Using debug-based analysis, dynamic instrumentation is compatible with the latest version of Android and iOS and provides results with no false positives.

Dynamic analysis also uses an automated tester (software) to interact with the application and maximize coverage during testing. In this way it is able to heuristically identify login forms, payment menus or shipping address forms. Behavioral analysis enumerates the attack surface of the application and injects attack data into it to detect vulnerabilities.

These vulnerabilities range from SQL injection to memory corruption. The behavioral analysis performed implements an advanced evolutionary approach that provides high coverage within the application.

Backend analysis, exploits

Backend scanning uses the API requests collected during dynamic scanning to crawl the backend server and detect vulnerabilities. Backend analysis is designed for mobile apps and understands API styles and serialization formats such as REST, GraphQL or Protobuf. Backend fuzzing uses a novel approach powered by machine learning, which provides advanced detection capabilities with a very low number of requests.